
Welcome to IWETHEY!

Klez highlights poor list hygiene
One of my trapped spams last night was an Enterprise Rent-a-Car promo list. I politely informed them that I was targeting strategic nukes in the event of a recurrence. Response came tonight that this was the result of a list management policy that doesn't require validation (unconfirmed opt-in). I respond with extensive pointers to mail-abuse.org list policy suggestions, and copy the message to friends in the press. Expect to see more of this.

More posted to the mailing list.

Stats at work: we've seen more bounced virus/executable mail in the past week than in the period Feb 1 - April 20. And daily counts are still tracking upwards.
--
Karsten M. Self kmself@ix.netcom.com
http://kmself.home.netcom.com/
What part of "gestalt" don't you understand?

   Keep software free.     Oppose the CBDTPA.     Kill S.2048 dead.
http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html
- and school isn't even out yet.._______:-
Maybe it originated in .au - school just went back this week
On and on and on and on,
and on and on and on goes John.
You know what it's turning into?
Klez is becoming the Nimda/CodeRed of mailing lists. The latter two have not been eradicated - I get probes almost daily to my web server from one or the other. I suspect it will be a very long time before Klez ever goes away.

I'm waiting for the first major ISP to punish a customer for running an incompletely patched IIS. Or for having a Nimda or Code Red infection. And for it to be reported in the major news outlets.

Wade.

"All around me are nothing but fakes
Come with me on the biggest fake of all!"

Is this from Klez?
From nobody Fri May 10 23:48:37 2002

X-Apparently-To: [email removed]@yahoo.com via web11204; 10 May 2002 23:48:29 -0700 (PDT)

Return-Path: <a1ollie@imail.ru>

Received: from 200.162.127.34 (EHLO 320sv012.gdfnet.df.gov.br) (200.162.127.34) by mta533.mail.yahoo.com with SMTP; 10 May 2002 23:48:23 -0700 (PDT)

Received: from netuno.arpdf.df.gov.br (200.186.173.66 [200.186.173.66]) by 320sv012.gdfnet.df.gov.br with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id KGR0FKA9; Sat, 11 May 2002 03:47:51 -0300

Received: from [200.35.107.144] by netuno (ArGoSoft Mail Server Pro v 1.8.0.3); Sat, 11 May 2002 03:48:37 -0300

Message-ID: <lw2e1tr6fnymzbg.110520020348@netuno.arpdf.df.gov.br>

Date: Sat, 11 May 2002 03:48:37 -0300

Content-Length: 5




QUIT


===

Looks like someone trying to unsub from something. Is this the kind of detritus people are seeing? And is it an indication that someone got something that claimed to be from my yahoo account?
===
I can't be a Democrat because I like to spend the money I make.
I can't be a Republican because I like to spend the money I make on drugs and whores.
I have no idea.
Not to crow, but I fortunately don't receive macro virii.

Wade.

"All around me are nothing but fakes
Come with me on the biggest fake of all!"

Very, very unlikely
Klez infected mail contains a simple HTML page with an embedded empty form.

I don't think this is a response from someone who thinks you sent them a virus either. The reply goes to Russia, but it came through Brazil. This looks more like an answer to spam.

I got spammed by an outfit called MedicRec last week. They screwed up royally and apparently caused replies (so far all flaming...) to be sent to the whole target list (which then floods the replier's mailbox with bounces from the dud addresses on the list...). Maybe there's another idiot outfit like them out there.
Correction -- this wasn't Klez
...I've had an interesting set of followups with Enterprise, turns out that, though I was told this was Klez initially, it wasn't.

I'd done business with them before (they were literally around the corner), and they'd picked up my email address. Now that I think about it, I received one, possibly two, emails previously, one a confirmation (quite useful), the other was one which may have been sent immediately following Sept 11 -- basically saying "if you've got a car, don't worry about where you're returning it to".

So, while there are some busted lists out there, it doesn't look as if Enterprise was at fault. My apologies.
--
Karsten M. Self kmself@ix.netcom.com
http://kmself.home.netcom.com/
What part of "gestalt" don't you understand?

   Keep software free.     Oppose the CBDTPA.     Kill S.2048 dead.
http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html
Re: Klez highlights poor list hygiene
I don't think any of the major mailing list manager programs even make it easy any more to disable the standard three-way handshake subscription confirmation, even if you wanted to. In a rather vast world, many things are possible, but I suspect these went out with the dodo.

Anyhow, the occasional MS-Windows virus autoposted to a mailing list is merely amusing, and surely harmless to anyone with half a brain. What's truly pernicious is what then happens, on lists that have made the horrific error of munging Reply-To. Typically, a half-dozen other Microsoft users' antiviral programs then send out autoresponse "warning" e-mails. Because of the Reply-To munging, those warnings go to the mailing list, rather than to the malware sender.

Worse along those lines happens, on lists with munged Reply-To, with users who have misconfigured "vacation" autoresponders: instant mail loop, and fun for the whole network.

Virus "warning" autoresponders I've seen are brain-dead, anyway. I can't count the number of times I've been "warned" about supposedly sending Microsoft viruses from my copy of mutt on Linux, by antiviral packages so incompetent at SMTP header analysis that they were misled by Klez or Bugbear fakemail. Over at the Linux Gazette Answer Gang, we've stopped even attempting to enlighten the guilty admins: Their mail domains just go straight onto the deny list.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
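
The failure modes described in the post above (autoresponses landing on a list with munged Reply-To, vacation loops, "warnings" sent to forged senders), written as a guard an autoresponder could run before sending anything. This is an added example, not part of the original thread; the function name, the `kind` labels and the sample messages are constructed for illustration, and the header checks follow RFC 3834.

```python
from email import message_from_string
from email.utils import parseaddr

LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "Mailing-List")
BULK_PRECEDENCE = {"bulk", "list", "junk"}
ROBOT_LOCALPARTS = {"mailer-daemon", "postmaster", "listserv", "majordomo"}

def autoreply_target(raw, kind="vacation"):
    """Return the one address an automatic reply may go to, or None."""
    msg = message_from_string(raw)
    # Worm fakemail forges the sender; a "warning" only reaches a bystander.
    if kind == "virus-warning":
        return None
    # List traffic: a munged Reply-To would steer the reply back to the list.
    if any(msg.get(h) for h in LIST_HEADERS):
        return None
    if (msg.get("Precedence") or "").strip().lower() in BULK_PRECEDENCE:
        return None
    # Never answer another robot, otherwise two autoresponders loop.
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return None
    # Answer the envelope sender (Return-Path), never Reply-To or From.
    _, sender = parseaddr(msg.get("Return-Path") or "")
    if not sender:  # "<>" marks a bounce: there is nobody to answer
        return None
    local = sender.split("@")[0].lower()
    if (local in ROBOT_LOCALPARTS or local.startswith("owner-")
            or local.endswith("-request")):
        return None
    return sender

# Constructed sample messages (not taken from the thread).
DIRECT = ("Return-Path: <alice@example.org>\n"
          "From: Alice <alice@example.org>\n"
          "Reply-To: someone-else@example.org\n"
          "Subject: lunch?\n\nhello\n")
LIST_MAIL = ("Return-Path: <owner-discuss@lists.example.org>\n"
             "From: bob@example.net\n"
             "Reply-To: discuss@lists.example.org\n"
             "List-Id: <discuss.lists.example.org>\n"
             "Subject: [discuss] hi\n\nhello\n")
ROBOT = ("Return-Path: <carol@example.com>\n"
         "From: carol@example.com\n"
         "Auto-Submitted: auto-replied\n"
         "Subject: Out of office\n\naway\n")
BOUNCE = "Return-Path: <>\nFrom: MAILER-DAEMON@example.com\n\nfailed\n"

if __name__ == "__main__":
    for name in ("DIRECT", "LIST_MAIL", "ROBOT", "BOUNCE"):
        print(name, "->", autoreply_target(globals()[name]))
```
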
     Klez highlights poor list hygiene - (kmself) - (8)
         - and school isn't even out yet.._______:- -NT - (Ashton) - (1)
             Maybe it originated in .au - school just went back this week -NT - (Meerkat)
         You know what it's turning into? - (static) - (3)
             Is this from Klez? - (drewk) - (2)
                 I have no idea. - (static)
                 Very, very unlikely - (scoenye)
         Correction -- this wasn't Klez - (kmself)
         Re: Klez highlights poor list hygiene - (rickmoen)
